diff options
author | Stefan Metzmacher <metze@samba.org> | 2012-11-29 10:00:03 +0100 |
---|---|---|
committer | Michael Adam <obnox@samba.org> | 2012-12-02 18:31:00 +0100 |
commit | 0a3396b53683f5efe439bfb8395e275f53108255 (patch) | |
tree | 5021484a0d45b0062f876135290fe430adc7d777 /source3/smbd | |
parent | 8ababf4367eb4faaeeda6cf66191aaf66a3a69da (diff) | |
download | samba-0a3396b53683f5efe439bfb8395e275f53108255.tar.gz samba-0a3396b53683f5efe439bfb8395e275f53108255.tar.bz2 samba-0a3396b53683f5efe439bfb8395e275f53108255.zip |
s3:smbd/open: use Builtin_Administrators as owner of files (if possible)
We do this if the idmap layer resolves Builtin_Administrators
as ID_TYPE_BOTH and if the current token has the
Builtin_Administrators SID or it's SYSTEM.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/open.c | 45 |
1 files changed, 41 insertions, 4 deletions
diff --git a/source3/smbd/open.c b/source3/smbd/open.c index d736f4f795..955660c148 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -28,6 +28,8 @@ #include "../libcli/security/security.h" #include "../librpc/gen_ndr/ndr_security.h" #include "../librpc/gen_ndr/open_files.h" +#include "../librpc/gen_ndr/idmap.h" +#include "passdb/lookup_sid.h" #include "auth.h" #include "serverid.h" #include "messages.h" @@ -3452,11 +3454,14 @@ static NTSTATUS inherit_new_acl(files_struct *fsp) struct security_descriptor *parent_desc = NULL; NTSTATUS status = NT_STATUS_OK; struct security_descriptor *psd = NULL; - struct dom_sid *owner_sid = NULL; - struct dom_sid *group_sid = NULL; + const struct dom_sid *owner_sid = NULL; + const struct dom_sid *group_sid = NULL; uint32_t security_info_sent = (SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL); + struct security_token *token = fsp->conn->session_info->security_token; bool inherit_owner = lp_inherit_owner(SNUM(fsp->conn)); bool inheritable_components = false; + bool try_builtin_administrators = false; + const struct dom_sid *BA_U_sid = NULL; size_t size = 0; if (!parent_dirname(frame, fsp->fsp_name->base_name, &parent_name, NULL)) { @@ -3498,10 +3503,42 @@ static NTSTATUS inherit_new_acl(files_struct *fsp) } if (owner_sid == NULL) { - owner_sid = &fsp->conn->session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; + if (security_token_has_builtin_administrators(token)) { + try_builtin_administrators = true; + } else if (security_token_is_system(token)) { + try_builtin_administrators = true; + } + } + + if (try_builtin_administrators) { + struct unixid ids; + bool ok; + + ZERO_STRUCT(ids); + ok = sids_to_unixids(&global_sid_Builtin_Administrators, 1, &ids); + if (ok) { + switch (ids.type) { + case ID_TYPE_BOTH: + BA_U_sid = &global_sid_Builtin_Administrators; + break; + case ID_TYPE_UID: + BA_U_sid = &global_sid_Builtin_Administrators; + break; + default: + break; + } + } + } + + if (owner_sid == NULL) { + owner_sid = BA_U_sid; + } + + if (owner_sid == NULL) { + owner_sid = &token->sids[PRIMARY_USER_SID_INDEX]; } if (group_sid == NULL) { - group_sid = &fsp->conn->session_info->security_token->sids[PRIMARY_GROUP_SID_INDEX]; + group_sid = &token->sids[PRIMARY_GROUP_SID_INDEX]; } status = se_create_child_secdesc(frame, |